CVE-2025-66738 · HIGH 8.8 · EPSS percentile 43.8%

Description

An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote attacker with normal privileges to execute arbitrary code via a crafted request to the ping function of the diagnostic component.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% probability of exploitation · percentile 43.8% · 2026-06-18T12:00:27Z
Published: 2025-12-26
Last modified: 2026-01-09

Underlying weaknesses · 1

CWE-77

References

  1. http://yealink.com
  2. https://drive.google.com/file/d/13t5ywSPJMx4487njJcH3ZTNuc_k3h4ty/view?usp=sharing


Type      Target                                                                                       Confidence  Tier
Weakness  Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-21238
  2. CVE: CVE-2025-21201
  3. CVE: CVE-2025-21239
  4. CVE: CVE-2025-21237
  5. CVE: Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability
  6. CVE: CVE-2025-21286

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.